Cybersecurity researchers have identified a series of malicious packages uploaded to the Python Package Index (PyPI) that target the social media platforms TikTok and Instagram. The packages, checker-SaGaF, steinlurks, and sinnercore, function as checker tools that verify stolen email addresses against those platforms' APIs.
Socket researcher Olivia Brown noted that the package checker-SaGaF verifies whether an email is linked to a TikTok or Instagram account by sending HTTP POST requests to the corresponding password recovery and login APIs. “True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account,” Brown said in a recent analysis.
Knowing which emails belong to live accounts lets threat actors craft targeted attacks, including doxing, spamming, and credential stuffing. These validated email lists are apparently sold on the dark web, a significant risk to users who may unknowingly become targets of malicious actors.
Another package, steinlurks, also targeted Instagram accounts, using forged requests that mimic the platform's legitimate Android app in order to evade detection; this is emblematic of the increasing sophistication of cybercriminals. Meanwhile, sinnercore aims to exploit Instagram's password recovery functionality, potentially allowing attackers to gain unauthorized access to user accounts.
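The checker tools described above (checker-SaGaF's recovery/login probes and sinnercore's use of the password recovery flow) all produce the same server-side pattern: one client submitting many distinct email addresses to account-existence endpoints in a short time. The following detection logic is an added example, not code from the article or from Socket's analysis; the endpoint paths, log format and log lines are constructed for illustration.

```python
# Added example (not from the article or Socket's analysis): flag clients that
# probe many distinct emails against password-recovery/login endpoints, which is
# the traffic pattern the checker tools described above produce.
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that can act as an "is this email registered?" oracle (assumed paths).
WATCHED_PATHS = {"/api/password/recovery", "/api/login"}

# Constructed access log, format: "<ISO timestamp> <client> <method> <path> <email>".
# Real deployments should log a keyed hash of the email, not the plaintext.
SAMPLE_LOG = """\
2025-05-20T10:00:01Z 203.0.113.7 POST /api/password/recovery a@example.com
2025-05-20T10:00:02Z 203.0.113.7 POST /api/password/recovery b@example.com
2025-05-20T10:00:02Z 203.0.113.7 POST /api/login c@example.com
2025-05-20T10:00:03Z 203.0.113.7 POST /api/password/recovery d@example.com
2025-05-20T10:00:04Z 203.0.113.7 POST /api/password/recovery e@example.com
2025-05-20T10:00:05Z 198.51.100.2 POST /api/password/recovery me@example.com
2025-05-20T10:00:09Z 198.51.100.2 POST /api/password/recovery me@example.com
2025-05-20T10:05:00Z 203.0.113.7 POST /api/password/recovery f@example.com
"""

def parse_line(line):
    ts, client, method, path, email = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, path, email.lower()

def find_enumerators(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {client: max distinct emails seen within one `window`} for every
    client that reaches `threshold`. A single user retrying their own recovery
    (198.51.100.2 above) repeats one email and is therefore not flagged."""
    events = defaultdict(list)  # client -> [(timestamp, email)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, email = parse_line(line)
        if method == "POST" and path in WATCHED_PATHS:
            events[client].append((ts, email))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide window start forward
                start += 1
            distinct = {e for _, e in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged
```

On the sample log, `find_enumerators(SAMPLE_LOG)` flags only `203.0.113.7` (five distinct emails inside one minute); the late probe at 10:05 falls outside the window and the legitimate retrying user is left alone.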
The alarming trend is compounded by the emergence of another malicious package, dbgpkg, which posed as a debugging utility that secretly implanted a backdoor on user systems for unauthorized data access. Although now removed from circulation, it had been downloaded approximately 350 times.
Furthermore, similar malicious conduct was observed in a recently discovered npm package called koishi-plugin-pinhaofa, which targeted chatbots built on the Koishi framework, facilitating data exfiltration by exploiting user interactions.
ReversingLabs researchers emphasized the sophistication seen in these cyberattacks, indicating a calculated effort to remain undetected. The use of similar malicious techniques across various packages suggests a level of affiliation or shared strategies among threat actors.
The growing number of harmful packages underscores the importance of vigilant cybersecurity practices, particularly in open-source ecosystems. Users are advised to exercise caution when dealing with unknown or suspicious packages in Python and other programming environments. For detailed analysis, refer to Socket's findings and ReversingLabs' report.